What is the name of the domain?
maplefighters.io
What is the error number?
403
What is the error message?
Forbidden
What is the issue you’re encountering
Deny all connections except from Cloudflare IP ranges blocks HTTPS connections.
What steps have you taken to resolve the issue?
Allow all connections and not only connections from Cloudflare IP ranges (proxy).
What are the steps to reproduce the issue?
Start nginx server (:443 with SSL/TLS enabled).
Deny all connections.
Allow connections only from Cloudflare IP ranges.
ben.ukhanov:
Cloudflare IP ranges
I’m using Cloudflare IP ranges that I copied from here, the official Cloudflare website: IP Ranges
1 Like
Sounds like you didn’t allow port 443 but only 80
What is your firewall config exactly?
1 Like
It’s an Ubuntu Server (DigitalOcean Droplet). The Nginx server is running inside a Docker container.
This is the firewall config, but again, Nginx is running inside a Docker container:
user@maplefighters:~# ufw status
Status: active
To Action From
-- ------ ----
22/tcp LIMIT Anywhere
2375/tcp ALLOW Anywhere
2376/tcp ALLOW Anywhere
22/tcp (v6) LIMIT Anywhere (v6)
2375/tcp (v6) ALLOW Anywhere (v6)
2376/tcp (v6) ALLOW Anywhere (v6)
When I remove deny all in the Nginx config [1] [2], HTTPS works.
It means the firewall config isn’t the issue, but the Cloudflare IP ranges don’t allow HTTPS connections?
[1] maple-fighters/src/frontend/nginx.conf at main · codingben/maple-fighters · GitHub
[2] maple-fighters/src/frontend/cloudflare-ips.conf at main · codingben/maple-fighters · GitHub
As a proof, I’ve added 443 to the server firewall:
user@maplefighters:~# ufw status
Status: active
To Action From
-- ------ ----
22/tcp LIMIT Anywhere
2375/tcp ALLOW Anywhere
2376/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp (v6) LIMIT Anywhere (v6)
2375/tcp (v6) ALLOW Anywhere (v6)
2376/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
It doesn’t work. I’m allowing connections only from Cloudflare IP ranges. I’m not able to establish a connection to the server using HTTPS (it worked with HTTP before).
@WalshyMVP Please try now to access https://maplefighters.io yourself and you’ll see a 403 Forbidden error.
The reason I prefer connections only from Cloudflare IP ranges is network security. Am I right to do this at all? Is it safer to allow connections only from Cloudflare IP ranges?
Laudian
September 14, 2024, 7:47pm
7
The 403 is from your nginx, so it is obviously working.
3 Likes
Laudian
September 14, 2024, 7:50pm
8
Can you check that you are using the Full (Strict) SSL mode on Cloudflare?
1 Like
The 403 is from your nginx, so it is obviously working.
Yes, because I want to allow connections only from Cloudflare IP ranges, which seemingly don’t support HTTPS connections.
Can you check that you are using the Full (Strict) SSL mode on Cloudflare?
Yes, I’ve already enabled Full (Strict) SSL mode on Cloudflare. This is how it works without allowing connections only from Cloudflare IP ranges.
Laudian
September 15, 2024, 7:35am
10
Ok, I understand now that you want to block all other IPs in Nginx, not in ufw/iptables.
I would recommend only allowing Cloudflare IPs to make connections on port 80/443 in ufw. But if you want to block in Nginx, you need to put the deny all rule at the end, as it works on a first match principle.
https://nginx.org/en/docs/http/ngx_http_access_module.html
3 Likes
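The first-match rule Laudian describes is easy to see with a small emulation of how nginx’s access module walks its allow/deny list. The block below is an added example, not code from the thread or from the maple-fighters repository: it evaluates the broken order (deny all first) and the corrected order (allows first, deny all last) against a proxied and a non-proxied client, and also renders the equivalent ufw allowlist for ports 80/443 as command strings. The ranges in PROXY_RANGES are constructed RFC 5737 test networks standing in for the real Cloudflare list, and the function names are this example’s own.

```python
import ipaddress

# Constructed stand-ins for the proxy's published IP ranges (RFC 5737 test
# networks). In production, load the list published by Cloudflare instead.
PROXY_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

# Rule order as described in the thread's broken config: "deny all" sits
# BEFORE the allow rules, so the first rule matches every client and
# nothing gets through, proxied or not.
BROKEN_RULES = [("deny", "all")] + [("allow", cidr) for cidr in PROXY_RANGES]

# Corrected order: specific allows first, the catch-all deny last.
FIXED_RULES = [("allow", cidr) for cidr in PROXY_RANGES] + [("deny", "all")]


def evaluate_access(rules, client_ip):
    """Emulate ngx_http_access_module: rules are checked in order and the
    first one that matches the client address decides. If no rule matches,
    nginx allows the request."""
    ip = ipaddress.ip_address(client_ip)
    for action, cidr in rules:
        if cidr == "all" or ip in ipaddress.ip_network(cidr, strict=False):
            return action
    return "allow"


def http_status(rules, client_ip):
    """Map the access decision to the status the client would observe."""
    return 200 if evaluate_access(rules, client_ip) == "allow" else 403


def render_nginx_block(ranges):
    """Render the allow/deny directives in the order that actually works
    (allows first, "deny all" as the final line of the block)."""
    lines = [f"    allow {cidr};" for cidr in ranges]
    lines.append("    deny all;")
    return "\n".join(lines)


def render_ufw_commands(ranges, ports=(80, 443)):
    """Host-level equivalent of the same allowlist, as recommended in the
    thread: one ufw rule per range and port. Returned as command strings,
    not executed, so the output can be reviewed before applying it."""
    return [
        f"ufw allow proto tcp from {cidr} to any port {port}"
        for cidr in ranges
        for port in ports
    ]


if __name__ == "__main__":
    for ip in ("198.51.100.7", "8.8.8.8"):  # one proxied, one direct client
        print(ip, "broken order ->", http_status(BROKEN_RULES, ip),
              "| fixed order ->", http_status(FIXED_RULES, ip))
    print(render_nginx_block(PROXY_RANGES))
    print("\n".join(render_ufw_commands(PROXY_RANGES)))
```

With the broken order both clients get 403, which matches the symptom reported above; with the fixed order only the proxied client gets through. The ufw commands only form a real allowlist when ufw’s default incoming policy is deny, and one caveat applies to the setup in this thread: when nginx runs in a Docker container with published ports, Docker inserts its own iptables rules ahead of ufw’s, so a ufw-only allowlist may not filter traffic reaching the container, while the nginx-level allow/deny rules still apply regardless.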
@Laudian Thank you very much! You helped me a lot, I really appreciate it (and also the very quick responses!).
But if you want to block in Nginx, you need to put the deny all rule at the end, as it works on a first match principle.
I’ve moved the deny all to the end after the allow rules and it works now! I also checked the Nginx logs and see only connections from Cloudflare servers.
I would recommend to only allow Cloudflare IPs to make connections on port 80/443 in ufw.
You’re absolutely right, I should do it this way. Thanks again.
1 Like
I’m currently using port 80 for HTTP at 192.168.1.100, but I haven’t configured port 443. My firewall setup only allows port 80.
system
Closed
September 18, 2024, 2:51pm
13
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.